PP1268

FSSC 22000 v5.1 Certification requirements

Revision 19 (January 2023)

BSI Certification
Requirements
BSI Standard Terms and Conditions
Addendum

FSSC 22000 v5.1

Page 1 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Contents

Revision History.............................................................................................5
1 Introduction............................................................................................8
2 Accreditation status and BSI scope of accreditation...................................8
3 The recognition process...........................................................................9
3.1 Initial enquiry....................................................................................................... 9
3.2 Application for certification and assessment........................................................9
3.2.1 Application form client contact.............................................................................9
3.2.2 Annual fee............................................................................................................. 9
3.3 COIDs - Certified Organization Identification Codes...........................................10
3.4 Initial contact..................................................................................................... 10
3.5 Conduct a self-Assessment / pre-assessment audit (not mandatory).................10
3.6 Identifying the scope of certification..................................................................10
3.7 Certification cycle............................................................................................... 13
3.7.1 Planning audits................................................................................................... 14
3.8 Audit criteria....................................................................................................... 14
3.8.1 Legal and regulatory audit requirements............................................................16
3.9 The certification audit........................................................................................ 17
3.10 Surveillance audits............................................................................................. 17
3.11 Recertification.................................................................................................... 17
3.12 Audit duration.................................................................................................... 18
3.12.1 Basic guides for audit duration...........................................................................18
3.12.2 Audit duration calculation...................................................................................19
3.12.3 Rounding rule...................................................................................................... 20
3.12.4 Minimum audit duration......................................................................................20
3.12.5 Reduction in time................................................................................................ 21
3.12.6 Additional time.................................................................................................... 21
3.12.7 Multisite.............................................................................................................. 23
3.12.8 Transition to FSSC 22000....................................................................................25
3.12.9 FSSC 22000 transfer...........................................................................................25
3.12.10 FSSC 22000 follow up audits............................................................................25
3.13 Audit report........................................................................................................ 25
3.13.1 Timeline to send the report to the (certified) organization..................................26
3.14 Non-conformities................................................................................................ 26

Page 2 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.14.1 Nonconformities levels.......................................................................................26

3.15 Granting certification......................................................................................... 28
3.16 Maintaining certification..................................................................................... 28
3.17 ICT audit approach and full remote audits.........................................................28
3.17.1 Definition............................................................................................................ 28
3.17.2 ICT audit approach.............................................................................................. 29
3.17.1 Full remote audit................................................................................................. 32
4 Managing audits....................................................................................34
4.1 Head office functions.......................................................................................... 34
4.2 Off-site activities................................................................................................ 35
4.3 Multi-site certification......................................................................................... 35
4.3.1 Requirements for the central function................................................................36
4.3.2 Nonconformity management (for multi-sites).....................................................36
4.4 Unannounced audits........................................................................................... 37
4.4.1 Frequency........................................................................................................... 37
4.4.2 Unannounced audit execution............................................................................37
4.4.3 Actions if organization refuses to participate in the unannounced audit.............38
4.5 Additional scheme / combined & integrated audit.............................................38
4.6 Transfer of certification...................................................................................... 38
4.7 Transition audits................................................................................................. 38
4.8 Extension and reduction of scope......................................................................39
4.9 Follow up audits................................................................................................. 39
4.10 Special audits..................................................................................................... 40
4.11 Short – notice audits........................................................................................... 40
5 Implementation of FSSC 22000...............................................................40
5.1 Learn about the FSSC 22000 Scheme................................................................40
5.2 FSSC 22000 v5.1 Documents.............................................................................41
5.3 FSSC Database................................................................................................... 41
5.3.1 Data ownership................................................................................................... 41
5.3.2 BSI Portal on FSSC Database...............................................................................41
6 Certificate Suspension, Withdrawal or Scope Reduction...........................41
6.1 Action Upon Suspension, Withdrawal and Scope Reduction...............................42
7 Use of Marks (FSSC, ANAB and BSI)........................................................42
7.1 Use of the FSSC Logo......................................................................................... 42
7.2 Use of the FSSC logo by Certified Organizations................................................43

Page 3 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

7.3 Design of the FSSC Logo.................................................................................... 43

7.4 FAQ's regarding FSSC logo................................................................................. 43
8 Confidentiality.......................................................................................45
9 Additional Obligations............................................................................45
9.1 Complaints......................................................................................................... 45
9.2 Certification Agreement..................................................................................... 45
9.3 Assessment Scheduling...................................................................................... 46
9.4 Misleading Statements....................................................................................... 46
9.5 Communication Obligations............................................................................... 46
9.6 Agreement on information sharing.....................................................................46
9.7 Management of extraordinary serious event......................................................47
9.8 Observers........................................................................................................... 47
9.9 Winessing Assessment by CB.............................................................................48
9.10 TE (Technical Expert) use by CB.........................................................................48
9.11 FSSC Website..................................................................................................... 48
9.12 Complaints and Appeals..................................................................................... 48
10 Impartiality............................................................................................49
10.1 In house and open FSSC external trainings........................................................49
10.2 Consultancy........................................................................................................ 49
10.3 Auditor rotation in FSSC 22000 certification audits............................................49

Page 4 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Revision History

Rev Revision Approved Page Sec.

Author Brief Description of Change
No Date by No No

1 February Gaynor Todd New document

2018 Clow/ Redwood
Luanshya
Naidoo

2 July 2018 Gaynor Todd 10 3.12 Changed word from three to

Clow Redwood six.

3 January Gaynor Todd 15 Contact details

2019 Clow Redwood
11 5
4 May 2019 Ana Todd Various updates
Cicolin Redwood
10 3.10
5 May 2019 Ana Todd RAM for certification and audit
Cicolin Redwood cycles
The entire
6 July 2019 Ana Todd Various updates to be in
document was
Cicolin Redwood accordance with FSSC V5
reviewed
Cover page
7 November Ana Todd Correction in audit duration
3.7 / page 10
2019 Cicolin Redwood comments Correction in audit
3.13.2.1/ page
duration comments
17
Change name from
“certification guidebook” to
“Certification Requirements”
Updating audit criteria
Timline for Minors NC
11 3.7
8 March 2020 Ana Todd Inclusion the link for the ISO
18
Cicolin Redwood 22000 Guideline; Inclusion the
21 3.3.2.
new timeline nfor minor
23 1
NC;Inclusion of FSMA;
27 4
Inclusion of BoS Decision List –
5.1.2
February 2020 and Updated
5.2
on March 2020; Inclusion the
10.5
new timeline for the FSSC
Portal;Inclusion of FSSC
Position for management of
serious even, Including COVID-
19
28 10.6
9 May 2020 Ana Todd Include update provided by

Page 5 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

29
Cicolin Redwood FSSC through BoS decision list,
May20
21 3.15.
10 June 2020 Ana Todd Inclusion the FSSC
27 3
Cicolin Redwood requirements related to the
30 11.6
use of ICT
31, 32 11.8
11.9
15 3.11
11 August Ana Todd FTE Information
17 3.11.
2020 Cicolin Redwood
22 3 Update additional minimum
27 3.15. time when use translator
28 3 Inclusion of transition audits
7
8 Use of Marks
9
21-27 3.17
12 October Ana Todd Incoportaion of updates made
38 11.4
2020 Cicolin Redwood by FSSC on 05/10/20 related
39
to annexx 09 (ICT Audit
Approach) and the publication
of the addendum realated to
Full remote audits
9, 3.6,3.
13 February Ana Todd Inclusion of v5.1 upgrade and
10,11, 6,3.7,
2021 Cicolin Redwood clarification of some sections
12,13, 3.11,
15,16, 3.12,
17- 3.13,
21,22, 3.16,
23,30, 4.2,4.
31,33, 3,4.4,
34,36- 4.6,4.
39,42, 10,5.
45 and 2,5.3,
46 6.1,9.
6,10
and
12
37 12
14 March 2021 Ana Todd Inclusion of FSSC updates
3.16.1 13
Cicolin Redwood published in February 2021
5.3.1 29
through the BoS decision list
12.2 38
46
47
4.3.1 32
15 March 2021 Ana Todd Inclusion of OFI from internal
33
Cicolin Redwood audit part 01 as highlighted on
indicated section
5.2 37
16 April 2021 Ana Todd Correction on the version of

Page 6 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Cicolin Redwood the version of the scheme

3.11.6. 20
17 June 2021 Ana Todd Inclusion of FSMA addendum
7
Cicolin Redwood and ISO 23412 addendum
3.6.77.
8
3.11.7. 22
18 September Ana Todd Updates related to:
1 24
2022 Cicolin Redwood
4.6 37 - Repeated NCs
7.2 41 - Transfer
7.3 42
7.4 43 - Logo use
9.7 45 - Recalls
- Multisite
2 8
19 January Ana Alfred Au Inclusion of BSI provisional
3.3 10
2021 Cicolin license for category D
3.6 13
3.8 15 Exclusion of allowance related
3.12.2 16 to COVID 19
9.7 19 Inclusion of COID
47

1 Introduction

This certification requirements document is designed to assist your site with the
requirements for certification to the Food Safety Systems Certification (FSSC) standard

Page 7 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

version 5.1 throughout the BSI Group. This document is considered an addendum to the
BSI Standard Terms and Conditions and therefore forms part of the contract with BSI.
The FSSC 22000 v5.1 certification scheme was launched in November 2020. The main
reasons for publishing a revised version include:
 Incorporating the GFSI benchmarking requirements version 2020.1
 Strengthening the licensing process and the integrity program
Minor editorial changes or amendments

2 Accreditation status and BSI scope of accreditation

BSI holds a valid global ISO/IEC 17021-1:2015 accreditation, including ISO/TS 22003:2013 .
The Accreditation Body is ANAB and the Scheme owner is The FSSC Foundation.
BSI operate in the categories and subcategories covered by the accreditation, being
categories C, G, I and K as per detailed below:
FSSC 22000 Category FSSC 22000 Subcategory
CI - Processing of perishable animal products
C - Food Manufacturing CII - Processing of perishable plant products
CIII - Processing of perishable animal and plant products (mixed
products)
CIV - Processing of ambient stable products

GI - Provision of transport and storage services for perishable food

G - Transport and Storage and feed
GII - Provision of transport and storage services for ambient stable
food, feed and packaging materials
I - Production of Food I - Production of Food Packaging and Packaging Material
Packaging and Packaging
Materials

K - Production of K - Production of Biochemicals

Biochemicals

 BSI license includes the following addendums: FSMA and ISO 23412.

 BSI currently holds a provisional license for the category D. All applications (SRF- Service
Request Form and CRF – Contract Review Form) related to this category must be approved
by FCoE. In case a contract related to FSSC category D is accepted by client, the FCoE must
be notified as the FSSC audit can only be delivered along with ANAB Witness audit.
o Category D  Animal Feed Production
 Subcategory DI: Production of feed
 Subcategory DIIa: Production of pet food (only for dogs and cats)
 Subcategory DIIb: Production of pet food (for other pets)

Page 8 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3 The recognition process

The following section outlines the steps that apply during the BSI recognition process for
FSSC. BSI reserves the right to provide its clients and those that request quotations with
marketing and technical information relating to standards, training and compliance
services.

3.1 Initial enquiry

BSI will respond to either verbal or written expressions of interest from sites interested in
one or more of our programs. If your site is located near one of BSI’s offices, an advisory
visit may be arranged to discuss your recognition requirements and how BSI can help your
site achieve them.
BSI will also, on request and receipt of a request for proposal, prepare a proposal suited to
your site’s needs.

3.2 Application for certification and assessment

Receipt of your site’s application form (or authorized acceptance of a valid BSI proposal),
along with the accompanying payment of the non-refundable application fee (or invoicing
instructions) together with this document forms the contract between your site and BSI.
Your requirements will be entered into our database and an auditor will be appointed to
look after your certification or assessment requirements. The auditor will be your primary
point of contact with BSI and is responsible for ensuring that our certification/assessment
services are delivered to your site in the most effective manner possible.

3.2.1 Application form client contact

1) BSI will require completion of an official application form, signed by an authorized

representative of the applicant site
2) It is the responsibility of the applicant site to ensure that adequate and accurate
information is shared with BSI about the details of the applicant site

3.2.2 Annual fee

1) BSI shall charge an annual fee to all sites certified against the FSSC Scheme. This fee
will be paid by BSI to The FSSC Foundation
2) The FSSC Foundation shall decide annually on the fee amount

3.3 COIDs - Certified Organization Identification Codes

The Foundation FSSC has implemented the “Certified Organization Identification Codes
(COIDs)” to maintain the traceability of certified organizations within the FSSC Assurance
Platform and the industry.

Page 9 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

The COID is a unique code that will be allocated by FSSC to every (certified) organization
that is registered in their Assurance Platform. The COID stays with the organization to
ensure traceability, also in the event of a transfer. BSI shall communicate the COID code
to the organization once generated in the Assurance Platform, and to the accepting CB
when requested in the case of a transfer.
The COID will be displayed and available on the FSSC public register.

3.4 Initial contact

As soon as practicable after receipt of your signed application/proposal, a BSI auditor

(or nominated representative) will contact your site. Your auditor will seek to establish a
working relationship between your site and BSI, and to confirm your recognition
requirements in terms of the certification or assessment services, standards or codes
of practice, locations, and activities and/or products to be included in the scope of
certification.
The auditor will seek to gain an appreciation of the structure of your site and the
activities being conducted. In particular the auditor will:
 Seek an appreciation of the nature and scope of your site’s activities, structure
and location(s), including any activities for which certification is being excluded;
and
 Determine the status of system documentation and implementation including
organizational policies, objectives and targets.
If your site is working with a consultant it is often useful for that person to be party to
the communication process.

3.5 Conduct a self-Assessment / pre-assessment audit (not mandatory)

A self-assessment or pre-assessment audit can assist in identifying gaps in your site’s

FSSC System so that corrective action can occur before engaging BSI for a full certification
audit. It can be conducted using internal resources, an FSSC consultant, or an FSSC
auditor.
Once your site has signed a contract with BSI, BSI can provide an assessment checklist
free of charge to utilize in a self-assessment / pre-assessment audit.

3.6 Identifying the scope of certification

FSSC certification is site and product/ process specific. When activities are carried out in
different premises but are overseen by the same senior, operational, and technical
management, and are covered by the one FSSC System, the scope can be expanded to
include those off-site activities.
The scope of certification forms part of the certificate of registration. It describes the food
sector categories (refer to table below) and the products processed and handled on that
site. The certificate of registration outlines the location of the site and nature and extent
of the FSSC certification.

Page 10 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

The audit scope will be agreed between your site and BSI before the certification audit
begins. The scope of the audit shall cover the required level of certification, the food
sector categories, and the products listed under the scope of certification for a site. The
audit scope shall cover all processes under the control of your site from raw material
receipt to shipment of finished product.
BSI shall define the relevant scope for the organization applying for FSSC 22000
certification. The audit scope shall describe the extent and boundaries of the audit and
shall be in accordance with the FSSC rules. BSI shall not exclude activities, processes,
products or services when those activities, processes, products or services can have an
influence on the food safety of the end products as defined in the scope of certification.
Where permitted exclusions apply, this shall be motivated in the report and the certificate
shall reference the exclusion as part of the scope statement.
Category FSSC 22000
Example of included activities and products
subcategory
Production of animal products
Activities / Processes: Slaughtering, deboning,
evisceration, gutting, cutting, sorting, washing,
pasteurizing, trimming, curing, fermentation,
CI - Processing of
smoking, freezing, chilling, cooling, scalding.
perishable animal
products Final product examples: fish, meat, poultry, eggs,
frozen and/or chilled dairy products and
fish/seafood products.
Production of plant products
C Activities / Processes: De-shelling, drying,
Food
packing, sorting, washing, rinsing, fluming,
Manufacturing trimming, slicing, pasteurizing, roasting, scalding,
peeling, de-husking, cooling, chilling, freezing and
CII - Processing of final product.
perishable plant
products Final product examples: chilled or frozen e.g.
fresh fruits, fresh juices, vegetables, grains, nuts
and pulses, meat replacers based on plant
materials (e.g. soy), frozen water-based products.

Production of mixed animal and plant products

Activities / Processes: Mixing, cooking, packing,
CIII - Processing of ensemble cooling, chilling, freezing
perishable animal Final product examples: mixed products, pizza,
and plant products
lasagna, sandwich, dumplings, ready-to eat
(mixed products)
meals.
Production of food products from any source that
are stored and sold at ambient temperature.
CIV - Processing of Activities / Processes: Mixing, cooking, packing,
ambient stable bottling, brewing, drying, pressing, milling,

Page 11 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Category FSSC 22000

Example of included activities and products
subcategory
products blending, roasting , refining, ensemble, distilling,
drying, canning, pasteurizing, sterilization.
Final product examples: canned products,
biscuits, bread, snacks, oil, drinking water,
beverages alcoholic and non-alcoholic, pasta,
flour, sugar, food-grade salt, dairy products with
long shelf life, margarines.

Production of food/feed packaging, food/feed

packaging materials and intermediate products
I for:
I
Production of
Production of Food - direct food contact surfaces or materials (i.e.
Food Packaging
and Packaging
Packaging and physically touching the food or in contact with
Packaging Material headspace) that will be in contact with the food
Material
during normal use of the food packaging and/or;
- indirect food contact surfaces or materials that
are not in direct contact with the food during
normal use of the food packaging, but there is the
possibility for substances to be transferred into
the food.
Packaging material used for personal care,
pharmacy or other uses are outside the scope of
the standard. Disposable tableware can only be
certified when it is sold together (and as part of)
the food product. Examples are spoons that are
packed with yoghurt, forks or chopsticks packed
with ready-to-eat food. The intended use,
including that it is sold together (and as part of)
the food product, shall be clearly specified in the
I scope statement.
Production of Food
Packaging and Activities / Processes: All manufacturing activities
Packaging Material for plastic, carton, paper, metal, glass, wood and
other materials to be used as packaging materials
in the food/feed industry.
Final product examples: bottles, boxes, jars,
barrels, cork, cans; devices for closing packaging
materials such as tape, plastic strips, or other
when the manufacturer can prove that they
belong to a food/ feed packaging material;
Production of labels with direct food contact.

Production of Bio-Chemicals and applies to the

production of food and feed additives, vitamins,

Page 12 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Category FSSC 22000

Example of included activities and products
subcategory
minerals, bio-cultures, flavourings, enzymes and
K - Production of processing aids but excludes pesticides, drugs,
K fertilizers and cleaning agents.
Biochemicals
Production of Activities / Processes: Mixing, cooking, packing,
Biochemicals
distilling, drying, canning, sterilization for all
products at ambient, chilled and frozen
temperatures.
Final product examples: food and feed additives,
vitamins, minerals, bio-cultures, flavorings,
enzymes and processing aids, gases as
ingredients and/or packaging gas.

GI - Provision of Transport and storage with cooling, chilling, or

transport and frozen temperatures. Additional activities such as
G storage services for re-packing of packed product, freezing and
Transport and perishable food and thawing.
storage feed.
GII - Provision of Transport and storage. Additional activities such
transport and as re-packing of packed product.
storage services for
ambient stable
food, feed and
packaging
materials.
DI - Production of Production of single or multiple products, whether
feed processed, semi-processed or raw, which are
intended to be fed to food producing animals.
DIIa - Production of Production of single or multiple products, whether
D pet food (only for processed, semi-processed or raw, which are
Animal Feed dogs and cats) intended to be fed to non-food producing animals
Production being dogs and cats. Examples: Dry and wet pet
(provisional food, treats, cooled, chilled, frozen and ambient
license) stable.
DIIb - Production of Production of single or multiple products, whether
pet food (for other processed, semi-processed or raw, which are
pets) intended to be fed to non-food producing animals
other than dogs and cats. Examples: Dry and wet
pet food, treats, cooled, chilled, frozen and
ambient stable

3.7 Certification cycle

The 3-year certification cycle shall be applied to FSSC 22000 and shall be respected at all
times. The first three-year certification cycle begins with the certification decision.
Subsequent cycles begin with the recertification decision. Surveillance and re-certification
audits shall be scheduled in accordance with the reoccurring audit month, (RAM). The

Page 13 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

interval between stage 1 and stage 2 audits shall not be longer than 6 months. The Stage
1 shall be repeated if a longer interval is needed.

If BSI has not completed the recertification audit or if is unable to verify the management
of non-conformity in accordance with FSSC 22000 requirements prior to the expiry date of
the certification, the recertification shall not be recommended, and the validity of the
certification shall not be extended. The client shall be informed, and the consequences
shall be explained.
Following expiration of certification, BSI can restore the certification within 6 months
provided that the outstanding recertification activities are completed (in this case expire
date will be based on prior certification cycle), otherwise at least a stage 2 shall be
conducted.

3.7.1 Planning audits

The basis of timings applied to the certification and audit cycles for FSSC 22000 scheme is
that each certificate shall become attached permanently to a month for its CAVs
(surveillances) and RAs (Re-certifications) audits. This month is defined as a Reoccurring
Audit Month (RAM) in which it is expected that these audits shall occur on a regular basis

3.8 Audit criteria

The audit criteria represent set of requirements used as a reference against which
objective evidence is compared. FSSC 22000 audit criteria shall include the requirements
as below.
FSSC 22000 Category Audit Criteria
 ISO 22000:2018
 ISO/TS 22002-1:2009
C
 FSSC Additional Requirements*
Food Manufacturing  BoS decision list**

Page 14 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

FSSC 22000 Category Audit Criteria

 The defined processes and documentation of the
management system developed by the organization
K
 Related Statutory/regulatory requirements**
Production of Biochemicals
 Related Customer requirements
 ISO 22000:2018
 ISO/TS 22002-5:2019
G - Transport and Storage  FSSC Additional Requirements*
 BoS decision list**
 The defined processes and documentation of the
management system developed by the organization
 Related Statutory/regulatory requirements**
 Related Customer requirements
 ISO 22000:2018
I  ISO/TS 22002-4:2013
Production of Food Packaging  FSSC Additional Requirements*
and Packaging Material  BoS decision list**
 The defined processes and documentation of the
management system developed by the organization
 Related Statutory/regulatory requirements**
 Related Customer requirements

 ISO 22000:2018
 ISO/TS 22002-6:2016 (DI and DIIb) / ISO/TS 22002-1:2009
(DIIa)
 FSSC Additional Requirements*
D – Animal Feed Production
 BoS decision list**
(provisional license)  The defined processes and documentation of the
management system developed by the organization
 Related Statutory/regulatory requirements***
 Related Customer requirements


Notes:
The Board of Stakeholders (BoS) Decision list is a document which contains decisions
applicable to the FSSC 22000 Scheme. The decisions overrule or provide further
clarification on existing Scheme rules and have to be implemented and applied within the
defined transition period. The decision list is dynamic and can be adjusted by the BoS
when deemed necessary.
The Board of Stakeholders is composed of representatives of the food sectors covered by
the FSSC 22000 Scheme. The BoS is responsible for approval of the content and
functioning of the FSSC 22000 scheme. The Board has the ability to provide binding
decisions and voluntary recommendations for the associated Certification Bodies,
Accreditation Bodies and Training Organizations with respect to the FSSC 22000 Scheme.
** The BoS decision list can be found on the FSSC website and shall be considered as part
of the audit criteria when there are decisions which relates to an audit requirement.
* FSSC 22000 Additional requirements applicable to the categories C, D (provisional license), G, I
and K include the below and the related requirement are available here (Part 2, Req. 2.5 – Pages:
18 -22)

Page 15 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

o Management of Service and purchased materials (C, G, I & K)

o Product Labelling (C, G, I & K)
o Food Defense (C, G, I & K)
o Food Fraud Mitigation (C, G, I & K)
o Logo Use (C, G, I & K)
o Management of Allergens (C, G, I & K)
o Environmental Monitoring (C, I & K)
o Formulation of Products (D)
o Storage and warehousing (C, D, G, I & K)
o Hazard control and measures for preventing cross-contamination (C & I)
o PRP verification (C, G, I, K & D)
o Product development (C, I, K & D)
o Health Status (D)
o Requirements for organizations with multi-site certification (G)
** BSI certifies conformance to a management system standard (FSSC 22000) which includes
requirements for compliance with legislation and regulatory requirements, however BSI is not
conducting a compliance audit and, therefore, cannot certify legal compliance.
FSSC has published some guidance to ensure interpretation alignment related the below:
 Guidance: Food defense, available here.
 Guidance: Food fraud mitigation, available here.
 Guidance: Food safety culture, available here.
The requirements relating to food safety culture are embedded throughout ISO 22000:2018
as set out on the FSSC Guidance document available above. A summary on how the
organization meets the food safety culture requirements shall be provided in the audit
report under ISO 22000 section 5. Auditors can raise nonconformities against the relevant
sub-clauses in ISO 22000 or where it is a systemic issue, to clause 5 of ISO 22000:2018.
 Guidance: Transport tank cleaning, available here. In support of the guidance document on
Transport Tank Cleaning, published in December 2020, FSSC has developed a case study to
illustrate how organizations can use the guidance document during an audit at a Food
manufacturing facility. The case study is available here.
 Guidance: Environmental monitoring, available here.
When Scheme Addendum applies (FSMA – see PP1489, ISO 23412 – see PP1689), the related
requirements also become part of the audit criteria.

3.8.1 Legal and regulatory audit requirements

Legislative and regulatory compliance is a requirement of FSSC 22000. The maintenance

and evaluation of legal compliance is the responsibility of the client. BSI’s role is to
establish confidence that the FSSC 22000 system functions adequately in this regard and
to confirm that the FSSC 22000 system is capable of achieving continued compliance.

Page 16 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

BSI will verify that the client has included legal and regulatory compliance in their FSSC
22000 system and can show that action has been taken in cases of non-compliance with
relevant legislation. BSI will not issue certification to a site where an infringement of food
safety related legislation or regulation is discovered. Where an action plan to achieve
compliance has been agreed with the appropriate regulator an exception may be
requested.
BSI will notify the client if an infringement is discovered. Action will depend upon the
nature of the infringement, corrective action proposals and the stance taken by the
appropriate enforcement authority but would normally constitute a major non-conformity
followed up with a re-audit visit.
Similarly, action will be taken where a post certification infringement is discovered. The
conditions of contract require the client to notify BSI of post certification breaches. De-
registration is an option for persistent failure to comply.
Where licenses/consents/permits have not been issued by appropriate authorities,
including incomplete document submissions, and steps are being taken to achieve
compliance in agreement with the regulator a non-conformity should be raised

3.9 The certification audit

The FSSC certification audit consists of two stages:

1) The initial auditing for certification is always carried out at the production site of the
applicant site and is conducted in two separate stages:
a) The stage 1 audit verifies that the system has been designed and developed in
accordance with your site’s top management commitment to conform with FSSC
scheme requirements. The objective of this audit is to assess the preparedness of
your site to proceed to the stage 2 audit
b) The stage 2 audit substantiates top management’s claim by auditing
implementation of the food safety management system
c) The activities subject to the proposed certification scopes shall be assessed during
the initial certification audit

3.10 Surveillance audits

1) Surveillance audits shall assess and report on conformity with all Scheme requirements
including the use of marks and references to certification
2) At least one of the two annual surveillance audits shall be unannounced
3) The audit program shall also consider the results of any previous audits including the
unannounced audit(s)
4) If not, all audit objectives are fulfilled during an unannounced audit, an additional audit
shall be performed of which the nature shall be determined by BSI

Page 17 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.11 Recertification

1) The recertification audit must be planned and conducted in due time to enable timely
renewal of the certificate before the expiry date
2) The purpose of this audit is to confirm the continuing conformity of the food safety
management system as a whole with all FSSC scheme requirements
3) The recertification activity also includes a review of the food safety management
system over the whole period of certification, including previous surveillance audit
reports and complaints received
4) BSI decides on renewal of the certification cycle on the basis of the recertification audit
which must meet the same requirements as an initial audit

3.12 Audit duration

The FSSC 22000 audit duration is determined by using the following factors:
 Product Category;
 Number of HACCP plan/study;
 Relevant management system in place
 Number of Employees
o Number of Employees: The number of employees involved in any aspect of
food safety shall be expressed as the number of Full Time Equivalent (FTE)
Employee. When an organization deploys workers in shifts and the products
and/or processes are similar, the FTE number will be calculated based on
employees on the main shift.
o FTE shall include: Production/ manufacturing/ supporting activities/
wholesale/ transport/ quality assurance/ research and development/ office
based, full time, part time and seasonal workers.
o When filled out the application (Service Requet Form), it is the responsibility
of the applicant site to ensure that adequate and accurate information is
shared with BSI about the details of the applicant site.

3.12.1 Basic guides for audit duration

BSI shall calculate the audit duration based on the information gathered from the
organization’s application and following the requirements of ISO/IEC 17021-1, ISO/TS
22003 and FSSC 22000 as follows:
 The duration of an audit day is eight (8) hours (unless otherwise stated in local
legislation);
 The effective audit duration does not include a lunch break (unless otherwise
stated in local legislation);
 The audit duration calculation for FSSC 22000 shall be documented in the contract
review form, including justifications for reduction or addition of time based on the
minimum audit duration;

Page 18 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 The audit duration does not include planning, reporting or travel activities, only
actual auditing time;
 The audit time shall only apply to auditors that are fully qualified, registered FSSC
22000 auditors. Trainee auditors do not contribute to audit duration;
 Where the FSSC 22000 audit is undertaken in combination or integration with other
food safety audits as a combined audit, the audit time stated in the report shall be
of the total combined audit time and match the audit plan. Total audit duration is
then longer than for FSSC 22000 alone. This is considered as an increase in audit
duration and the reason for this shall be justified in the contract review form.

3.12.2 Audit duration calculation

The total audit duration/site audit time (for a single site) is defined as T s + TFSSC.
1st Calculate the TS : The minimum audit time for a single site, T S, expressed in days, is
calculated as follows:
TS = (TD + TH + TMS + TFTE), where:
 TS = the minimum audit time for a single site;
 TD = is the basic audit time, in days;
 TH = is the number of audit days for additional HACCP studies
 TMS = is the number of audit days for absence of relevant management system
 TFTE = is the number of audit days per number of employees

Basic, on-site Number of Number of audit Number of audit days

Category
audit time, in audit days for days for absence per number of
audit days each of certified employees
additional relevant (FTE on the man
TD HACCP study management shift)
system
TH TFTE
TMS

C 1.5 0.50
1 to 19 = 0
D 20 to 49 = 0.5
1.5 0.5 50 to 79 = 1.0
(Provisio
80 to 199 = 1.5
nal 200 to 499 = 2.0
license) 0.25 500 to 899 = 2.5
900 to 1299 =3.0
I 1.0 0.25 1300 to 1699 = 3.5
1700 to 2999 = 4.0
K 1.5 0.50 3000 to 5000 = 4.5
>5000 = 5.0
G 1,0 0,25

Page 19 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

2nd Calculate the TFSSC : TFSSC shall be calculated as follows:

Number of Employees Number of HACCP studies TFSSC

(FTE)

< 250 1 or 2 HACCP studies 0.5 auditor day

and

3 HACCP studies or more

> 250 1.0 auditor day
or

3rd Preparation and Report Time : Preparation and reporting time shall be in addition to
the on-site audit time:
 At least 0.25 auditor day (2 working hours) shall be added to the FSSC 22000 site
audit time for audit preparation.
 At least 0.5 auditor day (4 working hours) shall be added to the FSSC 22000 site
audit time for audit reporting.
In summary the FSSC 22000 calculation shall look as follow:

Audit Calculation
Type

IA IA (Initial Audit) = Ts + TFSSC + Preparation Time + Report Time

o Stage 01: 1/3 of (Ts + TFSSC )
o Stage 02: 2/3 of (Ts + TFSSC ) + Preparation Time + Report Time +*
o Stage 01 + Stage 02 = IA

CAV 01 (Surveillance 01) = (1/3 x Ts) + TFSSC + Preparation Time + Report Time
CAV +*
CAV 02 (Surveillance 02) = (1/3 x Ts) + TFSSC + Preparation Time + Report Time
+*

RA RA (Re-certification) = (2/3 x Ts) + TFSSC + Preparation Time + Report Time+*

*= any other additional audit time need

3.12.3 Rounding rule

If after the calculation, the result is a decimal number, the exact hours may be used or
where rounding is applied to the number of days, this shall be rounded upwards to the
nearest half day (e.g. 5.3 audit days becomes 5.5).

Page 20 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.12.4 Minimum audit duration

For all audit types (initial, surveillance, recertification), the following minimum audit
duration rules apply:
 The minimum Ts is 1 day;
 The minimum basic FSSC 22000 audit duration is then 1.5 - 2 days depending on
the FSSC additional time, however for categories C, I and K the minimum audit
duration shall always be 2 days;
The following exemptions apply to the minimum audit durations:
 For organizations with simple processes, having 5 FTE or less and maximum 1
HACCP study, further reductions are allowed, but the total time T s+ TFSSC shall be
minimum one day for all audit types.
 For organizations in category C, I or K that have simple processes, less than 20 FTE
and maximum 1 HACCP study, further reductions are allowed to a minimum audit
duration of 1.5 days for all audit types.
Where any of the exemptions above are applied, BSI shall ensure that the audit duration
allows for an effective audit, covering the full FSSC 22000 requirements.
The exemptions mentioned above shall be made manually on the related CRF (contract
review form) since one of the condition to apply the exemption is related to the
complexity of the processes which shall be analysed case by case by the contract
reviewer along with FTE and HACCP to decide if the exemptions can be allowed.
The minimum audit duration for the annual audits shall always be respected.

3.12.5 Reduction in time

When properly documented and justified, a reduction of the T s audit time can be made in
accordance with ISO/TS 2003:2013, Annex B. The reduction in T s audit time can never be
more than 0.25 auditor day (2 working hours) and the Ts cannot be reduced below 1 day.
The reduction cannot be applied on T FSSC.

3.12.6 Additional time

3.12.6.1 Use of translator:

Additional audit time shall be added in case a translator is required to support the audit
team. The minimum time recommended to be added is from 0.25 – 0.5 auditor day,
however the determination of the time to be added will depend on the time/duration that
the translator will be used.

3.12.6.2 Separate head office

For organizations where some functions pertinent to the certification are controlled by a
head office separate to the manufacturing site(s), the minimum additional time shall be
0.5 auditor day (4 working hours) to audit the functions pertinent to the certification at the
head office.

Page 21 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

When the responsible person from the head office attends the audit at manufacturing site,
no extra audit time is required to be calculated.
If the head office is located at a manufacturing site being audited, no additional time is
required.
Note:
 A maximum of 20% audit time reduction can be allowed for each of the single
manufacturing sites belonging to the group where the shared functions are
controlled by the (off-site) head office. The 20% audit time reduction is applied to
the minimum audit time (TS) only.
The same principle indicated above applies to central function/head office of multisite
organizations.

3.12.6.3 Off-site activities

For offsite manufacturing or service activities: a 50% audit time reduction of T S may be
applied for each additional site. Travel time between locations shall be included in the
audit plan.
For off-site storage: at least 0.25 auditor day (2 working hours) additional audit time shall
be added to the FSSC 22000 audit time for each off-site storage facility.
Cross docking: at least 0.25 auditor day (2 working hours) additional audit time shall be
added to the FSSC 22000 audit time for each cross-docking location.

3.12.6.4 Additional scheme / combined audit

Where the FSSC 22000 audit is undertaken in combination or integration with other food
safety audits as a combined audit, the duration shall be increased on the top of FSSC
22000 duration. The minimum FSSC audit duration shall always be respected. The audit
time stated in the report shall be of the total combined audit and match the audit plan.
Total audit duration is then longer than for FSSC 22000 alone. This is considered as an
increase in audit duration and the reason for this shall be justified in the contract review
form.

3.12.6.5 Extension of scope

If the scope extension audit is combined with one audit belonging to the regular cycle, the
total audit duration shall be calculated by including the parameters of the extended scope.
If a stand-alone extension of scope audit is required, the duration may vary depending of
the intended scope extension. The duration shall be approved through a contract review
process.
Both situations above refer to an extension of scope in a site already FSSC certified. If the
site is not FSSC certified yet, it shall be treated as a new certification process based on the
initial audit durations.

Page 22 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.12.6.6 FSSC 22000 special audit

If a separate special audit is required, the duration may vary depending on what will be
audited.
If the special audit is combined with one audit belonging to the regular cycle, the audit
duration shall be increased on the top of FSSC 22000 regular audit duration.

3.12.6.7 FSMA PCHF addendum

This FSMA PCHF addendum is voluntary and can only be used in conjunction with a FSSC
22000 audit.
The additional auditing time needed to assess the FSMA PCHF addendum requirements
will be defined based on the size and complexity of the organization. The minimum audit
duration shall not be less than 0.5 man-days (4 hours) in all cases and does not include
planning, reporting or travel activities and, only relates to effective time spent auditing
the addendum.
The information provided in the addendum report is strictly for information only. It does
not constitute legal or regulatory advice. FSSC 22000 makes no warranties as to the
accuracy or completeness of the information.
The FSSC 22000 v5.1 FSMA PCHF addendum report shows that the additional FSMA
requirements have been reviewed based on sampling and any findings observed by the
auditor. The final report shall document the root cause analysis and the corrective action
plan that has been or will be undertaken by the organization.
This voluntary addendum to the FSSC 22000 audit report provides confirmation that
attention was paid to the implementation of the FSMA Preventive Controls Rule for Human
Food (PCHF) requirements.
The addendum only addresses areas not specifically covered or not covered to the same
extent as in FSSC22000 v5.1. The FSSC 22000 v5.1 FSMA PCHF report addendum should
always be read in conjunction with the FSSC 22000 Audit Report.
No certificate can be issued regarding FSMA addendum.

3.12.6.8 ISO 23412 addendum

This ISO 23412 addendum is voluntary and can only be used in conjunction with a FSSC
22000 audit in category G with a corresponding scope.
Meeting the requirements of the ISO 23412 addendum, in addition to the FSSC v5.1
requirements, results in compliance to ISO 23412:2020.
A successful certification review process (for both FSSC 22000 and the addendum), results
in an unaccredited addendum certificate in addition to the FSSC 22000 certificate.
The “valid until date” of the addendum certificate shall be aligned to that of the FSSC
22000 certificate. Where the first audit to the addendum takes place at a surveillance
audit, the resulting certificate will have a validity of less than 3 years due to the alignment
with the valid until date of the FSSC 22000 certificate. Subsequent cycles will be the same
as for FSSC 22000.

Page 23 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.12.6.9 Complexity of the process and/or products and/or

technologies

In case auditor identifies that, due to the complexity of the process and/or products and/or
technologies applied, is necessary add audit time on the top of the regular FSSC audit
duration, country is required to submit the CRF (Contract Review Form) to be re-
approved.
In this case, the additional time shall be added on the top of FSSC regular audit duration
and the related justification shall be made.
Both additional time and related justification shall be documented on the related CRF
(Contract Review Form).

3.12.7 Multisite

3.12.7.1 Methodology

The central function audit duration shall always be calculated separately from the site
audits, regardless of whether the central office is based at a site or not.
The central function audit duration shall be calculated in the same manner as the site
calculation, however no 20% reduction may be applied. The calculation of the Ts is based
on the number of FTE that is responsible for the central function activities.
A maximum of 20% audit duration reduction can be allowed for each of the single sites
belonging to the multi-site group where shared functions are controlled by the (off-site)
central function. The 20% reduction is applied to the minimum audit time (Ts).
Notes:
 Stage 1 audit is one-third (1/3) and Stage 2 audit is two-thirds (2/3) of the initial audit duration.
 It is not required to audit all the sites during the Stage 1 audit – as a minimum it would be the Central
Function and some of the sites to determine readiness for Stage 2. If only the central function is audited
for the stage 1 audit for a multisite, then the site’s stage 1 duration is added to the site’s stage 2 duration
when the stage 2 for the site is delivered (e.g., the full duration for the initial certification for the site is
delivered).

3.12.7.2 Sampling

Multi-site certification (including sampling) is only allowed for category G (Transport and
storage).
To apply the sampling plan for category G, the related organization shall have more than
20 sites operating similar processes within the category. This applies to the initial
certification, to surveillance and to recertification audits. BSI shall justify its decision on
sampling for multi-site certification using the related CRF (contract review form).
The basis for determining the sample site shall include the below to ensure an effective
audit of the FSMS:
 For organizations with 20 sites or less, all sites shall be audited.

Page 24 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 The sampling for more than 20 sites shall be at the ratio of 1 site per 5 sites as
indicated on the table below. All sites shall be randomly selected and, after the
audit, no sampled sites may be nonconforming.

Total number of sites

Number 21 22 23 24 25 26 2 2
7 8
of sites to
be audited
between 1 and
20

Number of sites above 20 0 1 2 3 4 5 6 7 8

Additional number of sites 0 1 1 1 1 1 2 2 2

to audit

Number of sites to be x 21 21 21 21 21 22 2 2
audited 2 2

 At least annually, an audit of the central office for the FSMS shall be performed by
the certification body;
 At least annually, surveillance audits shall be performed by the certification body on
the required number of sampled sites.
 Audit findings of the sampled sites shall be considered indicative of the entire
system and correction shall be implemented accordingly.
 The risk categories and performance of the sites shall be considered and might
result in an increase in the sample size.
 Where sites are added to the group, an audit is required before adding them to the
certificate either as a special audit or as part of the annual audit.
 Once every 3 years, the annual audit shall be conducted fully unannounced as set
out in, including the central function and the site audits.

3.12.8 Transition to FSSC 22000

When transitioning from ISO 22000 or an equivalent GFSI recognized certification to FSSC
22000 certification, the minimum FSSC 22000 certification audit duration shall be two-
thirds (2/3) of the initial certification audit time, with a minimum of 1 auditor day (8
working hours plus TFSSC). Requirement related to minimum duration, as stated on this
manual, applies.

Page 25 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.12.9 FSSC 22000 transfer

The minimum time required will depend of the scope being transferred as well as the
outcomes from previous CB audit. FCoE recommend from 0.25 (2 hours) to 0.5 (4 hours).
Duration shall be documented on the related CRF (contract review form).

3.12.10 FSSC 22000 follow up audits

In the case where a follow up audit is required, duration will depend on the number of non-
conformities that need to be closed. It is up to the auditor decide the time needed to
conduct the follow up related to NC close out based on the quantity of NC as well as on its
categorization and associated risks. Duration for follow up audits does not need to be
approved by FCoE nor be registered on the CRF (contract review form).

3.13 Audit report

At the conclusion of the audit, the audit team will prepare a written report on the audit
findings and the audit team leader will present these findings to your site’s senior
management at the exit meeting.
Non-conformities will be discussed with your team during the auditor’s visit and outlined
at the exit meeting. Non-Conformities are categorized as Critical, Major and Minor.
These Non-Conformities and their categorization at the exit meeting are preliminary and
are subject to a technical review by BSI.
The audit findings include a summary of the overall compliance of your system with
the requirements of the relevant standard(s) or codes of practice.
If you are unclear regarding the meaning of anything in your report, please contact your
BSI auditor or local office.
The ownership of the certificate and audit report content is held by BSI. At the request of
food safety authorities (governmental), the Foundation and GFSI information related to the
certification and auditing process shall be shared

3.13.1 Timeline to send the report to the (certified) organization

The full audit report shall be sent to the (certified) organization, by the relevant BSI
country (auditor), within 2 weeks of the certification decision for all audits conducted.

3.14 Non-conformities

It is your site’s responsibility to respond to the non-conformities detailed in your audit

report by the designated time frame. Failure to do so may result in suspension or
cancellation of your certification.
Close out of non-conformities is via your BSI FSSC auditor. The auditor will review the
information provided and will either approve and close out the non-conformance or
request further information from your site until such time as the sufficient information has
been received. Certain non-conformances require a revisit to the site to confirm
satisfactory closure.

Page 26 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.14.1 Nonconformities levels

BSI shall apply these criteria as a reference against which to determine the level of
nonconformities for findings in FSSC audits. There are three nonconformity (NC) grading
levels:

Nc Level Definition
A minor nonconformity shall be issued when the finding does not affect the
capability of the management system to achieve the intended results.
Minor

A major nonconformity shall be issued when the finding affects the capability of the
management system to achieve the intended results.
Major

A critical nonconformity is issued when a direct food safety impact without

appropriate action by the organization is observed during the audit or when legality
Critical
and/or certification integrity are at stake.

In case of non-conformities noticed in a Head Office audit, these are assumed to have
impact on the equivalent procedures applicable to all sites. Corrective actions shall
therefore address issues of communication across the certified sites and appropriate
actions for impacted sites. Such nonconformities and corrective actions shall be clearly
identified in the relevant section of the site audit report and shall be cleared in accordance
with BSI procedures before issuing the site certificate.
Note:
 Repeat nonconformities are nonconformities (NCs) against the same clause in two
subsequent audits. Repeat minor NCs do not automatically have to be upgraded to
a major NC.
 The nonconformity shall be graded as per the definition. However, an additional NC
(major or minor – depending on the impact) may be raised against the relevant ISO
22000 clause (e.g., leadership and commitment (5.1), communication (7.4), etc.) in
the case of a systemic issue.
 In a similar manner, repeat major nonconformities do not automatically lead to a
critical nonconformity.

3.14.1.1 Minor nonconformity

1) the organization shall provide the BSI (within 21 calendar days from the last day of the
audit) with objective evidence of the correction, evidence of an investigation into
causative factors, exposed risks and the proposed corrective action plan (CAP);
2) BSI shall review the corrective action plan and the evidence of correction and approve it
when acceptable. BSI approval shall be completed within 28 calendar days after the last
day of the audit. Exceeding this timeframe shall result in a suspension of the certificate.

Page 27 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3) corrective action(s) (CA) shall be implemented by the organization within the timeframe
agreed with BSI;
4) effectiveness of implementation of the corrective action plan shall be reviewed, at the
latest, at the next scheduled on-site audit. Failure to address a minor nonconformity from
the previous audit could lead to a major nonconformity being raised at the next scheduled
audit

3.14.1.2 Major nonconformity

1) the organization shall provide to BSI (within 21 calendar days from the last day of the
audit) with objective evidence of an investigation into causative factors, exposed risks
and evidence of effective implementation;
2) BSI shall review the corrective action plan and conduct an on-site follow-up audit to
verify the implementation of the CA to close the major nonconformity. In cases where
documentary evidence is sufficient to close out the major nonconformity, BSI may decide
to perform a desk review. This follow-up shall be done within 28 calendar days from the
last day of the audit;
3) the major nonconformity shall be closed by BSI within 28 calendar days from the last
day of the audit. When the major cannot be closed in this timeframe, the certificate shall
be suspended;
4) where completion of corrective actions might take more time, the CAP shall include any
temporary measures or controls necessary to mitigate the risk until the permanent
corrective action is implemented.

3.14.1.3 Critical nonconformity

1) When a critical nonconformity is issued at a certified site the certificate shall be

suspended (within 3 working days of being issued) for a maximum period of six (6)
months. The certificate shall be withdrawn when the critical nonconformity is not
effectively resolved within the six (6) months timeframe.
2) when a critical nonconformity is issued during an audit, the organization shall provide
to BSI with objective evidence of an investigation into causative factors, exposed risks and
the proposed CAP. This shall be provided to BSI within 14 calendar days after the audit;
3) a separate audit shall be conducted by BSI between six (6) weeks to six (6) month after
the regular audit to verify the effective implementation of the corrective actions. This
audit shall be a full on-site audit (with a minimum on-site duration of one day). After a
successful follow-up audit, the certificate and the current audit cycle will be restored and
the next audit shall take place as originally planned (the follow-up audit is additional and
does not replace an annual audit). This audit shall be documented and the report
uploaded;
4) the certificate shall be withdrawn when the critical nonconformity is not effectively
resolved within the six (6) month timeframe;
5) in case of a certification audit (initial), the full certification audit shall be repeated.

Page 28 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.15 Granting certification

Certification of an FSSC System shall be awarded to an organization with no outstanding

non-conformities. BSI will issue the certificate within 30 calendar days from the date of the
certification decision. The certificate expires three years after the date of the initial
certification decision. However, whilst the certificate is issued to the applicant site, it
remains the property of BSI under the conditions outlined in the contract.

3.16 Maintaining certification

To maintain FSSC certification, your site is required to ensure that surveillance and/or re-
certification audits occur within the required timeframe, ensure that no critical non-
conformities are raised at surveillance or re-certification audits, and that all major and
minor non-conformities are corrected within the time frame specified.

3.17 ICT audit approach and full remote audits

The standard method for conducting FSSC 22000 audits is either through full on-site
audits as described on this global scheme manual or partial on-site audits using the ICT
Audit Approach. Both of which are accredited and GFSI recognized options.
Information and communication technology (ICT) may be used as a remote auditing tool
during FSSC 22000 audits with the following applications and meeting the applicable
requirements of IAF MD4:
 For conducting interviews with people and review of policies, procedures or records
as part of the on-site audit;
 When utilizing the ICT Audit Approach
The FSSC 22000 full remote option is an accredited, non-GFSI recognized, voluntary option
that can only be utilized where access to the premises of the certified organization is not
possible as a direct result of a serious event, supported by a risk and feasibility
assessment.

3.17.1 Definition

 Full Remote Audit: A full remote audit is defined as an audit that takes place
entirely at a location other than that of the certified organization through the use of
ICT.
 ICT Audit Approach (Remote + On Site): FSSC 22000 audit as a split process
utilizing ICT. The ICT audit approach consists of 2 main steps being the remote audit
and the on-site audit.
 ICT: is the use of technology for gathering, storing, retrieving, processing, analyzing
and transmitting information. It includes software and hardware such as
smartphones, handheld devices, laptop computers, desktop computers, drones,
video cameras, wearable technology, artificial intelligence, and others

Page 29 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

3.17.2 ICT audit approach

The ICT audit approach consists of 2 main steps:

 Remote audit Component consisting of a document review and interviews with
key personnel using ICT.
 On-site audit Component focusing on the implementation and verification of the
FSMS (including HACCP), PRPs, the physical inspection of the production process
and any remaining requirements not covered during the remote audit.
During the remote audit, assessment activities are performed from a location other than
the physical location of the audited organization. The on-site audit, assessment activities
are performed at the physical location of the audited organization.
The following criteria will be used for assessing and approving the Use of ICT Audit
Approach:
 Maturity of the certified organization’s FSMS and performance history;
 Whether the certified organization permits and accommodates remote audit
activity (i.e. availability of records in electronic format or document reader)
including data protection and security measures;
 The ICT tools to be used;
 Whether the certified organization and/or BSI have the ability to provide
representatives capable of communicating in the same language;
 Whether BSI and the certified organization have the capability and ability to
conduct the remote audit in the chosen medium/forum of the remote audit;
 Impact on audit duration and audit planning e.g. where more time might be
required due to the use of ICT;
 The type of the related FSSC audit
When agreeing to utilize remote auditing techniques with a client it is important to
consider both general and specific information security considerations to ensure the
security of client information and to manage expectations. As part of the preparation for
the use of ICT, all certification legal and customer requirements related to confidentiality,
security and data protection shall be identified and actions taken by both client and BSI
country to ensure their effective implementation. This implies that both the auditor/BSI
and the auditee agree to the use of ICT and with the measures taken to fulfil these
requirements.
The following points must be considered as a minimum:
 All certification personnel are required to discard all information (excepted those
that constitute certification records) collected during the planning and execution of
the remote audit, once it has been completed;
 During the remote audit, no unauthorized recording (voice and /or video) is allowed;
 If recording is authorized, all recorded information (voice and /or video) shall only
be used as evidence for supporting the raising of certification findings and
conclusions.

Page 30 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

The ICT means to be used shall be tested with the certified organization before the
planned remote audit to confirm that the ICT is appropriate, suitable and effective.
Feasibility also depends on the online connection quality. In all instances where ICT
utilized is not functioning properly or preventing/hampering a robust audit, the audit shall
be aborted, and suitable follow-up actions determined along with the FSSC Global Scheme
Manager.
When using the ICT Audit Approach, the related audit duration will be calculated as per
FSSC scheme rules, however where rounding is applied, durations shall ONLY be
rounded upwards to the nearest half day taking into account that additional time might
be required to conduct the remote audit. This mandatory requirement to round upwards
may result in the ICT Audit approach duration calculation being different from the regular
FSSC onsite audit. Total on site audit duration does not include preparation activities or
reporting, and additional time is required for these activities as per the FSSC Scheme
Rules.
The remote audit component will typically be 0.5 - 1 day and the onsite verification audit
the remainder of the total duration of the regular annual audit. The onsite audit
component cannot be less than 1 day and shall at least be 50% of the total audit duration.
When determining the amount of time spent onsite and remotely, the outcome of the
assessment and the historical performance of the organization (including complaints and
recalls) shall be taken into consideration. For example, if the assessment demonstrated
that a remote audit is possible, but the historical performance of the organization has
been of concern, then the proportion of time spent onsite is expected to be increased.
If during the remote audit, time is consumed on issues such as network downtime,
unexpected interruptions or delays, accessibility problems or other ICT challenges, this
time shall not be counted as audit time and shall be documented on the report as a
deviation from audit plan, and the report shall also include the time added to comply with
the minimum required audit duration.
It is recommended that the remote and the onsite audit take place as close together as
possible, but in all cases the maximum timeline for completion of the audit (remote +
onsite) shall not exceed 30 calendar days.
In the case of serious events, the timeline may be extended to a maximum of 90 calendar
days, based on a clear and documented concession process and risk assessment by BSI.
The risk assessment shall consider the elements of IAF ID3 as a minimum and the
extension is only allowed where the efficiency and integrity of the audit will not be
compromised. Where concessions are granted by BSI and the 90 days timeline is applied,
the risk assessment shall be uploaded to the FSSC portal as part of the audit
documentation.
The ICT audit approach can be applied either in extraordinary situations or normal
circumstances and may be applied for the following audits:
 Stage 01;
 Surveillance;
 Re-certification;
 Head Office (where the corporate functions are controlled separately);

Page 31 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

(Note)
: In the year where an unannounced audit is due, the ICT audit approach may be used,
whilst still applying the requirements of FSSC V5. The prerequisite would be that the
onsite part of the shall be conducted first, followed directly by the remote audit with a
maximum period of 48 hours between the two audit components.
The remote audit includes a document review and interviews with key personnel which
includes (as mandatory) review at least following key FSMS elements:
 Document/procedure reviews;
 HACCP plans;
 Key changes since the last audit (where applicable);
 Product recalls and significant complaints;
 Status with regard to FSMS objectives and key process performance;
 Management review;
 internal audits;
 Interviews with management and key personnel.
The onsite audit serves as the verification audit for Food Safety Management System
(FSMS) implementation with a focus on the production processes and environment as well
as the remainder of the clauses not covered as part of the remote audit.
The onsite audit shall include as a minimum inspection/physical verification of PRPs, the
traceability test and implementation of the FSMS. The latter includes, but is not limited
to, the HACCP system, for example the effective operation of PRPs, verification of the
process flow diagram, OPRP and CCP monitoring and verification. It might be necessary to
review parts of the remote audit again to ensure implementation of requirements.
All the requirements of the Scheme shall be covered between the remote audit and the
onsite audit components and be clearly reflected in the audit plans, audit program and the
final audit report.
Any nonconformities identified during the audit (remote and onsite) shall be addressed in
line with the Scheme requirements.
 Where the audit (remote + on-site) is completed within 30 calendar days, one
nonconformity report is completed and the timeline for nonconformity closure starts
at the end of the on-site audit. Any nonconformities identified during the course of
the audit shall be communicated to the organization in a timely manner. BSI shall
provide a provisional NC BSI Sheet to the organization at the end of the remote
audit.
 In the case of a serious event and where the 30 calendar days for audit completion
is exceeded (based on a documented concession process and risk assessment by
BSI) any nonconformities identified as part of the remote audit shall be recorded
and a copy of the nonconformity BSI NC Sheet shall be left with the certified
organization at the end of the remote audit. The timeline for closure of these
nonconformities starts at the end of the remote audit. The timeline for closure of
NCs identified at the on-site audit starts at the end of the on-site audit.

Page 32 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 Where a critical nonconformity is identified at any time during the audit (remote or
on-site), the certificate shall be suspended, and a full new on-site audit will be
required to lift the suspension within 6 months.
One audit report shall be produced covering both the remote and the onsite audit
components.
The audit report shall clearly identify the extent to which any ICT has been used in
carrying out the audit and the effectiveness of ICT in achieving the audit objectives. The
audit report shall include all summarized information, findings and nonconformity details
of both the remote and onsite audit, covering all Scheme normative requirements and
meeting the requirements. The report shall also reference the dates and the duration of
the onsite and remote audits and the auditor/s involved in both parts. The requirements
assessed during the remote audit shall be identified by placing a “R” at the beginning of
the information.

3.17.1 Full remote audit

The FSSC 22000 full remote option is an accredited, non-GFSI recognized, voluntary
option that can only be utilized where access to the premises of the certified
organization is not possible as a direct result of a serious event, supported by a
risk and feasibility assessment. Mutual agreement between BSI and the certified
organization is required prior to conducting the full remote audit.
BSI shall conduct an assessment to evaluate the risk of continued certification and review
the planned audits when on-site auditing is not possible. A full remote audit may also be
considered as an option when planning the audits and where this audit methodology is
supported by the feasibility and risk assessments.
In the first instance BSI shall conduct a risk assessment to determine the impact of the
serious event on the current certification status of the certified organization. The full
remote audit option can only be utilized when the risk of maintaining certification is
determined as being low.
Secondly, BSI shall conduct a feasibility assessment to determine, in conjunction with the
certified organization, whether a full remote audit is a viable option and to determine if
the full audit objectives can be achieved through the use of ICT.
The following is considered when conducting the feasibility assessment through the
PF1414, which you will be required to filled:
 Maturity of the certified organization’s FSMS and performance history;
 Whether the certified organization permits and can accommodate remote auditing
(i.e. availability of records in electronic format or document reader) including
specific data protection and security measures;
 The ICT tools to be utilized;
 Whether the certified organization and/or BSI have the ability to provide
representative/s capable of communicating in the same language.
 Whether BSI and the certified organization have the capability and ability to
conduct the remote audit in the chosen medium/forum of the remote audit covering
all parts of the audit, including the production audit.

Page 33 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 Impact on audit duration and audit planning e.g. where more time might be
required due to the use of ICT
 The feasibility of the audit should be determined to provide confidence that the
audit objectives can be achieved. The determination of feasibility should take into
consideration factors such as the availability of the following:
o Sufficient and appropriate information for planning and conducting the audit;
o Adequate cooperation from the auditee;
o Adequate time and resources for conducting the audit
For a full remote audit to be conducted, the site needs to be operational with production
taking place. In the event that the site has closed and/or no production is taking place, the
full remote audit option cannot be applied.
BSI shall ensure that ICT is used to optimize the efficiency and effectiveness of the
audit/assessment, while supporting and maintaining the integrity of the audit process.
The use of ICT shall be mutually agreed between the auditee and BSI in accordance with
information and data security measures and regulations before ICT is used. Video and/or
audio recordings, screenshots, and storage of evidence shall also be mutually agreed and
the BSI shall keep record of these agreements.
In all instances where ICT utilized is not functioning properly or preventing/hampering a
robust audit, the audit shall be aborted, and suitable follow-up actions determined in line
with the audit schedule and Scheme requirements along with the FSSC Global Scheme
Manager.
The ICT means to be used shall be tested with the certified organization before the
planned remote audit to confirm that the ICT is appropriate, suitable and effective
(considering all parts of the audit including but not limited to its use in the production
site). Feasibility also depends on the online connection quality.
The total audit duration based on the FSSC scheme rules shall be met. Where rounding is
applied, durations shall be rounded upwards to the nearest half day taking into account
that additional time might be required to conduct the remote audit. There is a need for
effective planning for the remote audit to ensure that it effectively achieves stated
objectives and minimum audit time. As a result, more time might be needed for the
planning process.
The full remote audit option is only applicable in the following cases when linked to a
serious event:
 Where the annual, announced FSSC 22000 surveillance or recertification audits are
impacted as a result of a serious event and cannot take place on-site;
 Transition (from another Scheme to FSSC) audits;
 Where follow-up audits to close out nonconformities cannot take place – this will be
dependent on the nature of the nonconformity, the suitability of the ICT and BSI
shall in all instances be able to justify the effectiveness of the methods used.
Critical nonconformities require an on-site follow-up audit in all instances;
 Special audit based on the outcome of the serious event risk assessment.

Page 34 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Remote audit activities follow the same principles and format of the on-site audit activities
and includes a full audit against the Scheme requirements. Use of remote technology shall
ensure that adequate controls are in place to ensure a true representation of the site and
a robust audit.
All Full Remote Audits shall include:
 Opening meeting;
 Document review;
 Interviews;
 On Site facilities/infrastructure, manufacturing (and support) processes and storage;
 Intermediate conclusions meeting (between the audit team and/or with client) as
appropriate
 Closing meeting
It is therefore likely that different types and combinations of ICT will be used during the
same audit, that must be reviewed and agreed on as part of the feasibility and risk
assessment and audit planning process.
Remote audit activities follow the same principles of the on-site audit activities and where
nonconformities are identified, these are documented, graded and addressed as defined
in the Scheme requirements.
The Audit report shall comply with the FSSC Scheme requirements and clearly indicate
that the audit was conducted as a full remote audit. An overview shall be included in the
executive summary of the report providing details of the serious event and the extent to
which ICT was used, including different methodologies applied.
The audit report template to be used when ICT Audit Approach is applied are the same
used for the regular on site audit.
As part of the certification decision process, BSI shall review the audit program and take
into consideration the need for an on-site special audit and any changes required to the
audit program based on risk and the outcome of the audit. It remains the responsibility BSI
to ensure a proper and robust audit process and make an informed certification decision.
Where the outcome of the remote audit is to maintain (re-) certification, the certificate
shall be updated to reference that a Full Remote Audit was conducted. Following an on-
site audit (full on-site or via the ICT Audit approach), the certificate shall be updated and
the reference to Full Remote Audit removed.)

4 Managing audits

4.1 Head office functions

In all cases where functions pertinent to the certification are controlled by a head office
(such as procurement, supplier approval, quality assurance etc.), those functions shall be
audited, interviewing the personnel described in the food safety management system as
having the (delegated) authority and responsibility for these functions. The functions at
the head office shall be audited separately where they are not part of a site being
assessed.

Page 35 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Every site belonging to the group shall have a: separate audit, separate report and
separate certificate
The head office audit shall be carried out prior to the site audit(s). The subsequent
audit at the site(s) shall include a confirmation that the requirements set out by head
office are appropriately incorporated into site specific documents and implemented in
practice.
The site audit reports and certificates shall show which FSMS functions and/or
processes have been audited at the Head Office.
All individual sites shall be audited within a time frame of 12 months from the audit
of the head office.
The Head Office cannot receive a separate certificate. The Head Office is mentioned
on the site certificate.
At each site audit, the implementation of the corrective actions shall be verified and
reported. In the event where non-conformities are raised in a head office audit, these are
assumed to have an impact on the equivalent procedures applicable to all sites. Corrective
actions shall therefore address the communication across all certified sites within the
group and appropriate actions for impacted sites. Such nonconformities and corrective
actions shall be clearly identified in the relevant section of the site audit report.

4.2 Off-site activities

Where one manufacturing or service process is split across more than one physical
address, all locations may be covered in one audit, considering that the different
addresses are:
 part of the same legal entity;
 under the same FSMS;
 the sole receiver/customer of each other.
Storage facilities at another location shall also be included in the same audit considering
they meet the requirements mentioned above.
The certificate scope statement shall show the audited locations with activities per
location.
The audit report shall include all relevant requirements at all locations and allow audit
findings to be identified as site specific.
Cross docking is considered as an offsite activity provided that:
 part of the same legal entity;
 under the same FSMS.

4.3 Multi-site certification

A multi-site organization is an organization having an identified central function (hereafter

referred to as a central office – but not necessarily the headquarters of the organization)

Page 36 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

at which certain FSMS activities are planned, controlled or managed, and a network of
sites at which such activities are fully or partially carried out.
Examples of possible multi-site organizations are:
 organizations operating with franchises;
 a manufacturing company with one or more production sites and a network of sales
offices;
 service organizations with multiple sites offering a similar service;
 organizations with multiple branches.
BSI can certify a multi-site organization under one management system, providing that
the following conditions apply:
 all sites are operating under one centrally controlled and administered FSMS;
 an internal audit has been conducted on each site within one year prior to
certification;
 audit findings of the individual sites shall be considered indicative of the entire
system and correction shall be implemented accordingly.
Multi-site certification (including sampling) is only allowed for category G (Transport and
storage).
A multi-site organization need not be a unique legal entity, but all sites shall have a legal
or contractual link with the central function of the organization and be subject to a single
management system, which is laid down, established and subject to continuous
surveillance and internal audits by the central function.
The central function shall be audited at least annually and before the BSI audits of the
(sampled) sites. If necessary, a small number of the sample sites may be audited prior to
the audit of the central function.
One audit report may be produced for the multi-site organization, including the central
function information and specific information about each site audited. The summary
sections of the audit report shall clearly reflect what was audited at each site with
supporting objective evidence.
Alternatively, separate reports may be produced for the Central function and each of the
sites, respectively.
The certificate shall be a group certificate.

4.3.1 Requirements for the central function

The central function shall hold the contract with BSI and request to include multi-site
sampling as part of the application process should they wish to include it.
It is the responsibility of the central function to ensure management commitment to the
FSMS and have sufficient resources and technical capacity in place to support the system
and the internal audit program. The central function shall be impartial from the sites (e.g.
have different/ dedicated employees, governance, management etc.). The central function
shall take responsibility for coordinating, addressing, and closing out of nonconformities
raised at site level in conjunction with the relevant sites. Failure of the central function or

Page 37 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

any of the sites to meet the Scheme requirements, shall result in the whole organization,
including the central function and all sites, not gaining certification.
Where certification has previously been in place, this shall initiate the BSI process to
suspend or withdraw the certification.

4.3.2 Nonconformity management (for multi-sites)

Nonconformities raised at multi-site organizations shall follow the same scheme

requirements established on this manual and:
 When nonconformities are found at any individual site, either through the
organization’s internal auditing or from auditing by BSI, investigation shall take
place to determine whether the other sites may be affected. Therefore, BSI shall
require the organization to review the nonconformities to determine whether or not
they indicate an overall system deficiency applicable to other sites. If they are
found to do so, corrective action shall be performed and verified both at the central
function and at the individual affected sites. If they are found not to do so, the
organization shall be able to demonstrate to BSI the justification for limiting its
follow-up corrective action.
 BSI shall require evidence of these actions and increase its sampling frequency
and/or the size of sample until it is satisfied that control is reestablished. At the time
of the decision-making process, if any site has a major nonconformity, certification
shall be denied to the whole multi-site organization of listed sites pending
satisfactory corrective action.
 It shall not be admissible that, to overcome the obstacle raised by the existence of
a nonconformity at a single site, the organization seeks to exclude from the scope
the "problematic" site during the certification process.
 Where a critical nonconformity is identified, the certificate of the multi-site
organization shall be suspended within 3 working days of issuing the critical
nonconformity, regardless of whether or not all the site audits have been
completed;
 Where a major nonconformity is identified and the audit takes more than 30
calendar days to complete (central function and site audits), the organization shall
provide a corrective action plan including any temporary measures or controls
necessary to mitigate the risk until the nonconformity can be closed.
 The timeline for closure of nonconformities start at the end of the audit after
completion of the central function audit and all the site audits.

4.4 Unannounced audits

4.4.1 Frequency

BSI shall ensure that for each certified organization at least one surveillance audit is
undertaken as an unannounced audit after the initial certification audit and within each
three (3) year period thereafter.

Page 38 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

The certified organization can voluntarily choose to replace all surveillance audits by
unannounced annual surveillance audits. Recertification audits may be conducted
unannounced at the request of the certified organization. When this situation applies, the
PF1124 (FSSC v5.1 unannounced audit form & blackout dates) shall be completed by the
certified organization.
The initial certification audit (stage 1 and stage 2) cannot be performed unannounced.

4.4.2 Unannounced audit execution

1) Your organization will not be notified in advance of the date of the unannounced audit
and the audit plan will not be shared until the opening meeting.
2) The unannounced audit takes place during normal operational working hours including
night shifts when required.
3) Blackout days may be agreed in advance.
4) The audit will start with an inspection of the production facilities commencing within 1
hour after the auditor has arrived on site. In case of multiple buildings at the site the
auditor shall, based on the risks, decide which buildings/facilities shall be inspected in
which order.
5) All Scheme requirements shall be assessed including production or service processes in
operation. Where parts of the audit plan cannot be audited, an (announced) follow-up
audit shall be scheduled within 4 weeks.
6) If the certified organization refuses to participate in the unannounced audit, the
certificate shall be suspended immediately, and BSI will withdraw the certificate if the
unannounced audit is not conducted within a six-month timeframe from the date refusal.
7) The audit of separate Head offices controlling certain FSMS processes pertinent to
certification separate to the site(s) shall be announced . Where Head Office activities are
part of a site audit, they shall be unannounced.
8) Secondary sites (off-site activities) and off-site storage, warehouses and distribution
facilities shall also be audited during the unannounced audit.

4.4.3 Actions if organization refuses to participate in the unannounced

audit

If the certified organization refuses to participate in the unannounced audit, the certificate
shall be suspended and BSI shall withdraw the certificate if the unannounced audit is not
conducted within a six-month timeframe from the date refusal.

4.5 Additional scheme / combined & integrated audit

Where the FSSC 22000 audit is undertaken in combination with other food safety audits as
a combined audit, the duration shall be increased on the top of the FSSC 22000. The
minimum FSSC audit duration shall always be respected.
The audit time stated in the report shall be of the total combined audit and match with the
audit plan, with the contract review approved and also with the FSSC SMO(s) in PG. Total

Page 39 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

audit duration is then longer than for FSSC 22000 alone. This is considered as an increase
in audit duration and the reason for this shall be justified in the contract review form. A
separate report shall be created for each specific scheme.

4.6 Transfer of certification

BSI shall follow the requirements of GP031 (Transfer of Certification to BSI _ that takes into
consideration IAF MD 2) for all FSSC 22000 transfers of certification.
It is not allowed perform transfer review process prior to the contract review stage have
been successful concluded.
The programme of on-going surveillance or recertification shall be based on the previous
certification cycle. The next “on cycle” audit can just be planned and delivered for clients
that have successful completed the transfer process, hosting a BSI certificate. CAV or
Recertification cannot be delivered for clients that do not hold an active BSI
certificate.
When a certificate is transferred from a CB to BSI, the decision date linked to the transfer
becomes the new initial certification date linked to BSI.

4.7 Transition audits

Transition audits are allowed from ISO 22000 and GFSI recognized certification programs
with equivalent scopes.
Transition audits are the start of a new certification cycle and shall therefore be a stage 2
audit.
The FSSC 22000 certificate issued shall have a validity of 3 years.
Transition audits are only allowed from a valid certificate issued by BSI. A transition audit
CANNOT be performed from a certificate issued by another CB. For this case, clients shall
be first transferred and have their BSI certificate issued. Only after that, the transition
audit can be performed provided that the certificate is not expired and if the intended
scope falls into one of the FSSC 22000 categories that BSI is accredited for.

4.8 Extension and reduction of scope

Extension of scope: BSI shall, in response to an application for expanding the scope of a
certification already granted, undertake a review* of the application and determine any
audit activities necessary to decide whether or not the extension may be granted. This
may be conducted in conjunction with a surveillance audit or with a re-certification or
separate from the audit cycle being conducted as special audit.
(* This review shall be performed by an approved FSSC contract reviewer only).
Reduction of scope:
 Where during an assessment the assessor identifies that the client has ceased to
perform a referenced activity and that this activity should be removed from the
scope of certification, the assessment team leader shall advise this via audit report.

Page 40 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

It should be clear from the documentation provided which elements of the scope
are being removed.
 When BSI has evidence that a client holds a certificate where scope exceeds the
capability or capacity to meet scheme requirements, BSI shall reduce the
certification scope accordingly.
BSI shall not exclude activities, processes, products or services from the scope of
certification when those activities, processes, products or services can have an influence
on the food safety of the end products as defined in the scope of certification.
Any reduction in durations or visit cycles shall be reviewed and approved by an approved
FSSC 22000 contract reviewer only.

4.9 Follow up audits

Definition of follow up audits: An additional audit to a regular audit for which an extra visit
is required when the audit could not be completed in the planned time and/or the audit
plan could not be realized completely or when on-site investigation of a (major) NC is
required. As a follow-up is part of a regular audit, it shall be completed within a short time-
frame from the main audit.
A follow-up audit is required in following situations:
 When not enough information can be obtained after an unannounced audit to take
a certification decision. The missing parts shall be audited within 4 weeks (see PP
1286).
 After a major non-conformity for verification of the corrective action plan to close
the NC. This follow-up shall be done within 28 calendar days from the last day of
the audit.
For the above situations the follow-up audit is a part of a regular audit (initial, surveillance
or re-certification) and has to be completed before a certification decision can be taken.
The follow-up activities shall be documented in the report of that regular audit.

4.10 Special audits

Definition of special audits: Audits at certified organizations that are performed on top of
the annual surveillance/recertification audits.
Additional special audits shall be performed on top of FSSC audit and never as a
replacement of the annual surveillance/ recertification audits.
Reasons to conduct a special audit may be for example:
 Scope extension in between regular audits
 Changes in the company (e.g. ownership)
 Short notice audits (see also ISO/IEC 17021-1 9.6.4) to follow up on complaints,
after a major recall etc.
 To lift suspensions

Page 41 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Special audits may be conducted announced or unannounced and shall be reported

separately from the regular audits.
The objective of a special audit is to assess whether the certificate is still valid. Therefore,
a decision on the certification status shall be taken. This is a formal certification decision
and shall be documented as such. A special audit can lead to a suspension or withdrawal
of the certificate, or to an extension or reduction of the scope.
Special audits shall be recorded on PF1445 (FSSC Special Audit Report).

4.11 Short – notice audits

It may be necessary for BSI to conduct audits of certified clients at short notice or to
complete an unannounced audit to investigate complaints, or in response to significant
changes, or as a follow up for suspended clients.

5 Implementation of FSSC 22000

5.1 Learn about the FSSC 22000 Scheme

There are several ways to learn how to implement the FSSC 22000 Scheme within your
food business. The following options are available:
 Attend an FSSC 22000 Training course available through the BSI Training Academy
(refer to your local BSI office or website)
 Train yourself by downloading the necessary documents from the FSSC website.

5.2 FSSC 22000 v5.1 Documents

FSSC 22000 v5.1 scheme documents are available at FSSC Website.

5.3 FSSC Database

The FSSC Foundation maintains a Register of Certified Sites with the names and
information of all certified sites. This register is publicly available on the FSSC website.
For all FSSC 22000 audit types, the required data and documentation shall be entered in
the FSSC Portal at the latest 28 calendar days after the certification decision with a
maximum of 2 months after the last day of the audit.

5.3.1 Data ownership

A (certified) organization is the owner of an audit report (regarding the decision about who
the report may be shared with), whilst BSI is responsible for the report data and therefore
holds the ownership of the audit report content.
A (certified) organization is the certificate holder, not the owner. BSI is the data owner of
the certificate data.

Page 42 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

5.3.2 BSI Portal on FSSC Database

a) When requested by the certified organization, BSI shall actively provide the Certified
Organization access to the associated Organization Profile, Audit and Certification data
registered in the CB Portal using the available functionality.
b) The certified organization access will only be granted to authorized individual(s).

6 Certificate Suspension, Withdrawal or Scope Reduction

1) Suspension: BSI shall immediately suspend certification when a critical nonconformity is

issued and/or there is evidence that their client is either unable or unwilling to establish
and maintain conformity with Scheme requirements
2) Withdrawal: BSI shall withdraw a certificate when:
 the status of suspension cannot be lifted within six (6) months;
 the organization ceases its FSSC 22000 certification activities;
 any other situation where the integrity of the certificate or audit process is severely
compromised.
3) Scope reduction: When BSI has evidence that client holds a certificate whose scope
exceeds their capability or capacity to meet scheme requirements, BSI shall reduce the
certification scope accordingly. BSI shall not exclude activities, processes, products or
services from the scope of certification when those activities, processes, products or
services can have an influence on the food safety of the end products as defined in the
scope of certification.

6.1 Action Upon Suspension, Withdrawal and Scope Reduction

1) In case of suspension or withdrawal, the organizations’ management system

certification is invalid.
BSI shall complete the following actions within 3 working days after the certification
decision has been made:
 change the status of the certified organization in the Portal and its own Register of
certified organizations and shall take any other measures it deems appropriate;
 inform the organization in writing of the suspension or withdrawal decision within
three (3) days after the decision was made;
 instruct the organization to take appropriate steps in order to inform its interested
parties.
2) In case of scope reduction, the organizations’ management system certification is
invalid beyond the revised certification scope statement.
BSI shall complete the following actions within 3 working days after the certification
decision has been made:
 change the scope of the certified organization in the FSSC 22000 database and its
own Register of certified organizations and shall take any other measures it deems
appropriate;

Page 43 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 inform the organization in writing of the scope change within three (3) days after
the decision of change;
 instruct the organization to take appropriate steps in order to inform its interested
parties.

7 Use of Marks (FSSC, ANAB and BSI)

To acess FSSC logos, BSI Marks of Trust (assurance marks) and ANAB logo please contact
[email protected]
To access the insructions for use to promote your BSI certification access Guidelines for
use related to ANAB and BSI Marks.
For Guidance about FSSC logo use, see section below.

7.1 Use of the FSSC Logo

Certified organizations can use the FSSC 22000 logo only for marketing activities such as
organization's printed matter, website and another promotional material.
In case of using the logo, the organization shall comply with the following specifications:

Use of the logo in black and white is permitted when all other text and images are in black
and white.
The certified organization is not allowed to use the FSSC 22000 logo, any statement or
make reference to its certified status on:
 a product;
 its labelling;
 its packaging (primary, secondary or any other form);
 in any other manner that implies FSSC 22000 approves a product, process or
service.

7.2 Use of the FSSC logo by Certified Organizations

 The FSSC logo may be used on the organization’s printed matter, literature,
business cards, website and promotional material subject to the design
specifications.
 The FSSC 22000 logo may NOT be used either on a product, its labelling or its
packaging, or in any other misleading manner, so as to suggest that the

Page 44 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

certification body has certified or approved any product, process or service of a

certified organization.
 Mentioning possession of an FSSC 22000 certificate or making any reference
such as “Produced in an FSSC 22000 certified company” on a product label or
packaging is not allowed.
 BSI will audit the use of the FSSC 22000 logo by certified organizations during
every surveillance and re-certification audit. Any non-conformance associated
with the use of the logo will be required to be managed as per the Scheme
requirements for nonconformity management.

7.3 Design of the FSSC Logo

 The FSSC 22000 logo shall be reproduced in the specified colors, as per the FSSC
22000 Additional Requirement 2.5.5, and in a size that makes all features of the
logo clearly distinguishable.
 Use of the logo in black and white is permitted when all other text and images
are in black and white.

7.4 FAQ's regarding FSSC logo

In addition to the requirements laid out in Part 2, Section 2.5.5 of the Scheme, the below
guidance has been established based on the most common enquires the Foundation
receives on the use of the FSSC 22000 logo:
 Question: May the FSSC 22000 logo be included on the product’s packaging
(primary, secondary or tertiary) or label?
o Answer: No
 Question: May a product’s packaging indicate “Manufactured in an FSSC 22000
Certified facility”?
o Answer: No
 Question: We are a certified organization; may we brand the clothing/uniform we
issue our staff with the FSSC 22000 logo or indicate another related statement on
the clothing/uniform?
o Answer: No
 Question: May we (CB) issue one of our certified organizations with a flag with the
FSSC 22000 logo on it?
o Answer: Yes, a flag may have the FSSC 22000 Logo present, as long as the
CB is issuing the flag, and that all the requirements as laid out in the
Scheme, Part 2, Section 2.5.5 are adhered to. The CB is responsible for
ensuring the flags issued meet the Scheme requirements, and that it is only
issued to their FSSC 22000 certified organizations.
 Question: Many certified organizations are asking us whether it is possible to
mention on the product’s packaging or label that they have been certified for FSSC
22000 by our CB. They will not use the logo, only the wording of the
standard/schemes name. Is this allowed?
o Answer: No

Page 45 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 Question: May we use the FSSC 22000 logo on our training material or the
delegate’s certificate?
o Answer: The FSSC 22000 logo is not allowed to be used on training material
or the certificate unless the training organization has a license with the
Foundation.
 Question: May the FSSC 22000 logo be used on business cards?
o Answer: Yes
 Question: Is a certified organization permitted to use the FSSC 22000 logo on the
side of its vehicles or transport units?
o Answer: No
 Question: Our organization is certified to FSSC 22000 and co-packs products for a
client. May our client indicate the logo on their website?
o Answer: The FSSC logo may only be used by the FSSC 22000 certified
organization, not their clients, so it would not be possible for the client to use
the logo on their website. They may reference that they use FSSC 22000
certified organizations to produce their products, but it can be a statement
on a website only, the logo may not be displayed.
 Question: Are there any rules and requirements about the use of social media to
promote FSSC in terms of services as well as when the client wants to promote that
they have achieved FSSC 22000 certification?
o Answer: There are no specific rules or requirements regarding promotion on
social media, other than following the requirements for logo usage as
outlined in the Scheme.
 Question: May we change the color of the logo?
o Answer: You may change the size of the logo (smaller or larger) as long as it
is still proportional, however not the color.
 Question: May the logo be used on a COA or on the Product Specification?
o Answer: No

8 Confidentiality

BSI will keep confidential information confidential for a period of 6 years after it has
received it and will not use or disclose it except for the purpose of exercising or
performing its rights and obligations under the contract, or to the extent required by law,
or by any governmental or other regulatory authority, or accreditation authority, or by a
court or other authority of competent jurisdiction and/or by the Foundation.
In these cases, BSI will not be required to notify you of such disclosure and will not be
required to oppose any demand made by such entities.
The ownership of the certificate and the audit report content of your site is held by BSI. At
the request of food safety authorities, information related to the certification and auditing
process shall be shared.

9 Additional Obligations

Following certification, there are a number of managerial responsibilities which your site
will need to fulfil to maintain BSI’s certification. These include:
 Continued compliance with the relevant systems standard(s) or code(s) of practice;

Page 46 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 Compliance with BSI’s Standard Commercial Terms and Conditions and obligations
as specified in this document as well as other guidance documentation that may be
specifically provided from time-to-time;
 Conduct of regular internal reviews of your system, with appropriate documentation
of such reviews and of any subsequent corrective actions;
 Notification to BSI of any significant changes in the structure (key responsibilities
and management system), ownership and operations of your site to enable the
impact of such changes on the certified ownership system to be evaluated; and
 Notification to BSI of any litigation or serious events or matters that relate to the
scope of your certification within twenty-four (24) hours of the event.

9.1 Complaints

Your site is required to keep a record of all known complaints. These records must be
made available to the audit team and BSI when requested.
Your site is required to demonstrate that you have taken appropriate action to address
these complaints through investigation and correct any deficiencies found. These actions
must be documented.

9.2 Certification Agreement

Your site is required to meet the requirements of the certification agreement. This
requires that your site and products remain compliant with the scheme requirements and
the conditions of certification at all times.
Your site is required to implement appropriate changes as communicated by BSI in a time
appropriate manner.

9.3 Assessment Scheduling

Your site is required to make all necessary arrangements to allow the evaluation and
surveillance activities to take place. This includes but is not limited to; Equipment,
Product, Locations, Personnel and Sub-contractors.

9.4 Misleading Statements

Your site is not permitted to use its certification in a manner that could bring BSI into
disrepute. This includes making misleading or unauthorized statements. If you are
unsure if a statement could be misleading you are advised to contact BSI prior to making
the statement. Statements include but are not limited to advertising (including your
website) and internal communication. The use of the logo on product and product
packaging is not permitted.
If your site is required to provide copies of certification documents these must be
reproduced in its entirety. Failure to do so may be misleading to the recipient as to the
scope of certification.

Page 47 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

9.5 Communication Obligations

Your organization has the obligation to communicate with your local BSI office within 3
working days related to the following:
a) any significant changes that affect the compliance with the Scheme requirements and
obtain advice of BSI in cases where there is doubt over the significance of a change;
b) changes to organization name, contact address and site details;
c) changes to organization (e.g. legal, commercial, organizational status or ownership) and
management (e.g. key managerial, decision-making or technical staff);
d) changes to the management system, scope of operations and product categories
covered by the certified management system;
e) an extraordinary event affecting a certified site or BSI may temporarily prevent BSI
from carrying out planned audits on-site. When such a situation occurs, BSI in consultation
with the certified site will need to determine a reasonable planned course of action;
f) any other change that renders the information on the certificate inaccurate.

9.6 Agreement on information sharing

By accepting the BSI quote the certified organization allows BSI to share information
relating to the certification and auditing process with the Foundation, GFSI and
governmental authorities when required.

9.7 Management of extraordinary serious event

In case your organization is affected by public food safety incidents (such as e.g. public
recalls, calamities, food safety outbreaks, etc.) BSI shall be notified within 02 working days
through [email protected]. An incident form (PF1414) will be sent to the client
which in turn has:
 2 business days after receiving the request, to send part I of the PF1411 completed
in full, to the related BSI country
AND
 10 business days after receiving the initial request, to send part II of the PF1411
completed in full, to the related BSI country.
Non compliance to be timelines stated above will lead to the suspension of the certificate.
Reocurrance of recalls may also lead to suspension fo the certification.
The information related to the recall will be evaluated and BSI will decide the course of
action regarding action needed as well as the status of the certification.
Note : In the case where during an FSSC audit, the BSI auditor identifies that the certified
organization has not communicated a recall to BSI, a major NC against the site must be
raised against 8.9.5 of ISO 22000.
There is no obligation to communicate product withdrawals to BSI. The definitions of
product withdrawal and product recall are listed below for reference:

Page 48 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

 Product Recall: The removal by a supplier of a product from the supply chain that
has been deemed to be unsafe and has been sold to the end consumer and is
available for sale.
 Product Withdrawal: The removal of a product by a supplier from the supply chain
that has been deemed to be unsafe and which has not been placed in the market
for purchase by the end consumer.
Based on the information provided, the BSI may need to notify Foundation FSSC about
some recalls.
In case your organization is affected by serious events that impact the FSMS, legality
and/or the integrity of the certification which includes legal proceedings, prosecutions,
situations which pose major threats to food safety, quality or certification integrity as a
result of natural or man-made disasters (e.g. war, strike, terrorism, crime, flood,
earthquake, malicious computer hacking, etc.), BSI shall be contacted within 03 working
days through [email protected].
BSI will manage extraordinary serious event as per as per FSSC v5.1 requirements.

9.8 Observers

 From time to time BSI requires an observer to be in attendance at an audit. This

may be related to training of new staff and witness assessment of existing staff. It
is a requirement of certification that your site allows these activities to occur.
 BSI will, at all times, ensure that the use of observers is kept to a minimum and
your site will be advised prior to the assessment activity.
 The observer does not take an active part in an assessment.
 By accepting the FSSC BSI quote your organization accept cooperate with such
process

9.9 Winessing Assessment by CB

From time to time the accreditation body and /or the Foundation FSSC requires a
performance ofa witnessing process. By accepting the FSSC BSI quote your organization
accept cooperate with such process that can be conducted on site or remotely in which
the normal confidentially requirement applies.

9.10 TE (Technical Expert) use by CB

BSI may need to use a TE during an FSSC audit. By accepting FSSC proposal presented by
BSI your organization accepts to cooperate with such process that can be conducted on
site or remotely in which the normal confidentially requirements apply.

9.11 FSSC Website

It is an FSSC scheme requirement for your site’s details to be displayed on the FSSC
website.

Page 49 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

9.12 Complaints and Appeals

Appeals relating to the reconsideration of a decision made by BSI shall be considered if

received within 10 calendar days of the decision or the closing meeting of an audit.
Notification of the appeal shall be made in writing by the client.
Appeals shall be sent to [email protected]
BSI will also investigate legitimate documented complaints, relevant to operation of
the system, from clients/ customers of certified s i t e s , T h e F S S C F o u n d a t i o n and
the accreditation body (ANAB). Certified sites shall, at all reasonable times, provide
representatives of BSI, FSSC or ANAB with access to its premises and records for the
purposes of investigating such complaints.
If your site’s application for certification has been refused; or your certified site’s
certification has been suspended, withdrawn, or reduced in scope, you may appeal against
the decision. All complaints will be investigated and the originator of a complaint will be
advised of the outcomes, as appropriate.
Where necessary a Review Committee will be established and operated as set out below:
 The appellant shall, within 28 days of the disputed advice from BSI, lodge a written
notice of appeal with an affidavit as to the grounds of appeal;
 The BSI Global Operations & Compliance Management Group shall be advised
within 14 days of receiving the appellant’s notice;
 The Global Operations & Compliance Management Group shall then establish a
Review Committee;
 The Review Committee shall consist a minimum of three persons considered as
experts in the area of technology or business relevant to the appeal. The Review
Committee shall be constituted as follows:
o One-person expert in the relevant area of technology or business
o Two persons selected by the appellant from a list of four persons
 The appellant shall represent himself and no legal representation will be allowed
unless approved by the Review Committee; and
 The Review Committee will carry out investigations as are required, including
assessment of information supplied by the appellant and, within a reasonable time,
decide by majority vote whether or not to reverse the original decision.
 The Global Food and Retail Supply Chain Operations and Compliance Director shall
give notification of the decision to the appellant within 14 days of the Review
Committee decision

10 Impartiality

10.1 In house and open FSSC external trainings

An auditor can conduct public FSSC 22000 training with attendance from a company that
they are the certification auditor for. However, the same auditor cannot conduct in-house
training and then deliver certification work (without a break of 02 years).

Page 50 of
51
 PP1268
FSSC 22000 v5.1 Certification requirements
Revision 19 (January 2023)

Note: in-house training means training provided in the client´s site or attended only by
one organization’s team.

10.2 Consultancy

FSSC 22000/FSMS consultancy shall not be provided by either BSI or any part of the same
legal entity for a period of 2 years prior to any certification activity.

10.3 Auditor rotation in FSSC 22000 certification audits

An auditor is not allowed to perform more than two (2), three (3)-year certification cycles
at the same certified site either as lead auditor or team member. If an auditor starts
auditing within a certification cycle, he/she will be rotated out after six (6) years for a
minimum of one year.

Page 51 of
51